Block websites http and https without Web Proxy / 100% works

Today I am sharing my little experience with beginners like me; you can understand my post from the title, so no other words, let's start.
This method will not affect any other website; I would like to block Facebook in my example.

1: Add the website as a Layer7 protocol.

/ip firewall layer7-protocol
add name=facebook regexp="^.+(facebook.com).*\$"

2: Add your DNS, ISP and DSL modem IPs and gateway to a firewall address list as exceptions.

/ip firewall address-list
add address=8.8.8.8 list=not_this_dst
add address=8.8.4.4 list=not_this_dst
add address=10.0.0.1 list=not_this_dst

3: Create a mangle rule to filter Facebook IPs.

/ip firewall mangle
add chain=forward action=add-dst-to-address-list protocol=tcp src-address=192.168.88.0/24 dst-address-list=!not_this_dst address-list=facebook address-list-timeout=0s layer7-protocol=facebook

Now you get all Facebook IPs from firewall connections in the firewall address list, like this:

4: Now create another mangle rule for Facebook connections from the filtered IP list.

/ip firewall mangle
add chain=forward action=mark-connection new-connection-mark=facebook passthrough=yes dst-address-list=facebook

5: Now block this Facebook connection with a firewall filter rule.

/ip firewall filter
add chain=forward action=drop src-address=192.168.88.0/24 connection-mark=facebook

If you want to allow Facebook for some or one user, you can add exception IPs to the rule; for this, add those IPs to a firewall address list:

/ip firewall address-list
add address=192.168.88.101 list=not_this_src
add address=192.168.88.120 list=not_this_src
add address=192.168.88.155 list=not_this_src

Remove the previous firewall filter rule and add a new one like this:

/ip firewall filter
add chain=forward action=drop src-address=192.168.88.0/24 src-address-list=!not_this_src connection-mark=facebook

Or you can edit your previous rule and add the IPs there.
Are we done? NO.

Someone may bypass your MikroTik firewall using a VPN tool; in that case you can use OpenDNS to block proxy or VPN tools.

Note: This method will not work just for YouTube; you can block YouTube videos from L7:

/ip firewall layer7-protocol
add name=videos regexp="videoplayback|video"

Sorry, I made some mistakes in my method; I have now edited it.
Thank You.

That is of course very far from the truth… but when you are satisfied, we are all happy!

I am absolutely satisfied with this method :slight_smile:

And I would like to tell everybody that if a website uses both the TCP and UDP protocols, then you should add another mangle rule like this:

/ip firewall mangle
add chain=forward action=add-dst-to-address-list protocol=udp src-address=192.168.88.0/24 dst-address-list=!not_this_dst address-list=abc address-list-timeout=0s layer7-protocol=abc

That is important.
But I would recommend other readers of this topic not to use it.

To make sure that the forum and friendly resident guru pe1chl doesn’t look unfriendly, when someone else reads this topic, I’ll add few details.

What you’re doing is looking for “facebookcom” in every single TCP connection to any port. It will match the hostname in plain unencrypted HTTP requests to Facebook, the SNI hostname in HTTPS requests to Facebook, but also any HTTP page containing this string anywhere, files transferred over FTP if they contain it, etc. So it will block connections to FB, but it will also block a whole lot of other stuff, plus unnecessarily looking into all connections will not make the router happy, because it will use quite a lot of resources. It’s like getting rid of rats in the basement by blowing up the house. True, the rats will be gone alright…

Well, you are both the Gurus; I don’t and can’t argue with you. I just share my experiment, which I am successfully implementing in MikroTik ROS 5.26, and believe me, it works for me perfectly; with this method I just filter the websites’ Dst IPs and block them for specific Src IPs. You can check this configuration; all IPs are Facebook IPs.

Please read again what Sob wrote: your solution will probably block Facebook just fine, but it has lots of disadvantages.
Also, I think it is unfortunate that so many beginning sysadmins are obsessed with blocking sites for their users, that they take this on as a first project before they have even investigated how to properly manage their router (including how to update its software)…

Not exactly. Big names, such as FB, Google and Microsoft, host their data in many data centers worldwide, which also host data for many other organizations. By blocking their addresses, you will block all services from these IPs, e.g. software updates. If this is only for you, be happy. If you are serving data for customers, forget this method.

I 100% agree with this…

I find the new feature introduced in RouterOS v6.41, which matches packets using “tls-host”, very useful in dropping packets to HTTPS sites. I suggest you give it a try, as it is very simple and straightforward. It will achieve the same purpose with a few lines of commands.

In this posting you can find more domain names for Facebook, Instagram and WhatsApp that can be filtered:

http://forum.mikrotik.com/t/https-443-proxy-configuration/106671/7

I use a DNS filter that returns a dummy IP so that the traffic does not go anywhere. If a user uses a VPN, then it can use an external DNS to avoid my filter.

Facebook, Google and others often put dedicated content servers inside the network of your ISP that rely on the DNS of your ISP.

This method just works when clients want to resolve facebook.com from
If a client uses dnscrypt, this method won’t work,
but with tls_host everything is fine.

The advice of the original poster is misleading and incomplete, and I do not suggest using this method to block websites. In addition to false positives, you will also kill the CPU of your router.

Why not use the new tls-host matcher in firewall instead?

I came from Google search. My local Mikrotik vendor has this article: http://www.mikrotik.co.id/artikel_lihat.php?id=282

But I can’t figure out how to make it a whitelist. That article explains how to blacklist HTTPS connections to Facebook. I just want to allow some HTTPS to defined websites, e.g. banking institutions and WhatsApp. I don’t want a blacklist approach.

Not the first person with similar advice… I saw so many that I already put in my bookmarks a specific time from your colleague’s presentation: https://youtu.be/XkKj9rj4quQ?t=25m54s
Unfortunately, neither the “correct, old” method nor the new tls-host method is bulletproof. What is most annoying is the fact that, for example, YouTube started using the QUIC protocol. Availability of the protocol is cached, so anyone who ever visited YouTube in the past (and who is using a browser supporting QUIC) will not even once hit the tls-host matcher, as everything goes through UDP.

You will have to understand that there are different agendas here: the large and powerful companies are working to make it unrealistic to block their services, while the small connectivity providers want to block things they don’t see as useful or feel are overloading their limited connections.
There are many topics about this on the forum, and everywhere you see the “solutions” that fail to achieve their goal (blocking) but in the meantime have undesired effects like blocking unrelated services and overloading the router.
Unless you have an unlimited amount of time and a good budget, you had better not try to achieve your bandwidth-limiting objectives by “blocking youtube”. It is a lost race.
And when you need to “block facebook”, e.g. because your employees are spending their work time on their phones instead of on their job, you had better use other methods to achieve better productivity. Blocking isn’t going to work well, and it will need continuous maintenance and attention.

And when you need to “block facebook”, e.g. because your employees are spending their work time on their phones instead of on their job, you had better use other methods to achieve better productivity.

Gosh! So true; this should be written into legislation.
I had a request like that just a month ago, after one of my clients realized that I can do more than just plug in a router.

I understand what you mean. I was just trying to spread the word that blocking YouTube is nowadays almost impossible, and blocking Facebook is… well… it has to be done correctly, and still there is no guarantee it will work.

Once you have successfully blocked Facebook, you will notice that “entirely legitimate for business use” services like “prezi” will suddenly be inaccessible to the users that “use their facebook account to login”.
That is of course a very clever move by Facebook: offer your authentication mechanism to other services and implement it in such a way that it is not possible to block your main service and at the same time allow that authentication service to function.